Proactive intrusion protection system

ABSTRACT

A system for proactive intrusion protection comprises a memory operable to store data identifying a plurality of compromising entities, comprising at least one of a device identifier or a contact identifier, and a processor communicatively coupled to the memory and operable to receive, from a remote application associated with a remote device and with the system, information regarding a destination of the outgoing communication. The processor is further operable to determine an entity associated with the destination of the outgoing communication and to determine that the entity associated with the destination matches at least one of the plurality of compromising entities based on comparing the data identifying the plurality of compromising entities and the entity associated with the destination of the outgoing communication. Furthermore, the processor is operable to send to the remote application, before the outgoing communication is sent, a signal configured to block the outgoing communication.

TECHNICAL FIELD

The present disclosure relates generally to intrusion protectionsystems, and more particularly to proactive network intrusion protectionsystems that protect remote devices.

BACKGROUND

Users of various institutions, and networks associated with thoseinstitutions, can be susceptible to intrusions in a number of ways.Entities may contact or attempt to retrieve information from a remotedevice owned by the user in order to access that user's account with thevarious institutions. For example, an entity seeking to misappropriate auser's account may contact that user's mobile device by phone, email,SMS, or any other means in an attempt to elicit information from theuser in order to access the user's account. In addition, such entitiesmay attempt to improperly access and control the remote device in anattempt to access the user's account through the remote device. Forexample, the user may have an application installed on his mobile phonethat allows the user to connect to a system associated with aninstitution. The connection between the remote device and theinstitution via the application may be a target for an entity that seeksto misappropriate the user's account with that institution.

Various names for these intrusion activities exist, including“phishing,” “vishing,” “pharming,” “smishing,” similar threats viasocial media, etc., as well as improperly obtaining the user's remotedevice and attempting to access the user's account. In addition, uponbecoming aware of a general threat that may affect the user, theinstitution may reactively notify the user of the general threat, forexample, by sending the user an SMS or email detailing the generalthreat. As another example, the institution may reactively notify theuser of an actual intrusion against the user that already occurred.

SUMMARY OF EXAMPLE EMBODIMENTS

In accordance with the present disclosure, disadvantages and problemsassociated with intrusion protection systems may be reduced oreliminated, and one or more technical advantages may be realized.

According to particular embodiments of the present disclosure, a systemcomprises a memory and a processor. The memory is operable to store dataidentifying a plurality of compromising entities, where the datacomprises at least one of a device identifier or a contact identifier.The processor is communicatively coupled to the memory and the processoris operable to receive, from a remote application associated with aremote device and with the system, information regarding a pendingoutgoing communication, where the information comprises informationregarding a destination of the outgoing communication. The processor isfurther operable to determine an entity associated with the destinationof the outgoing communication by analyzing the information regarding theoutgoing communication. Furthermore, the processor is operable todetermine that the entity associated with the destination of theoutgoing communication matches at least one of the plurality ofcompromising entities based, at least in part, on comparing the dataidentifying the plurality of compromising entities and the entityassociated with the destination of the outgoing communication. Theprocessor is also operable to send, to the remote application associatedwith the system, and before the outgoing communication is sent, a signalconfigured to block the outgoing communication.

According to other particular embodiments of the present disclosure, asystem comprises a memory and a processor. The memory is operable tostore data identifying a plurality of compromising entities, where thedata comprises at least one of a device identifier or a contactidentifier. The processor is communicatively coupled to the memory andthe processor is operable to receive, from a remote applicationassociated with a remote device and with the system, informationregarding a pending outgoing communication, where the informationcomprises information regarding a destination of the outgoingcommunication. The processor is further operable to determine an entityassociated with the destination of the outgoing communication byanalyzing the information regarding the outgoing communication.Furthermore, the processor is operable to determine that the entityassociated with the destination of the outgoing communication matches atleast one of the plurality of compromising entities based, at least inpart, on comparing the data identifying the plurality of compromisingentities and the entity associated with the destination of the outgoingcommunication. The processor is also operable to send, to the remoteapplication associated with the system, and before the outgoingcommunication is sent, an alert indicating that the destination of theoutgoing communication matches a compromising entity.

Digital telecommunication networks and other computer networks areconfronted with numerous security vulnerabilities inherent to computernetworks. Often, communication and other networks are untrusted andvulnerable to entities seeking information associated with networkusers. These security vulnerabilities are further exacerbated when thenetworks are also used to communicate sensitive information, such asinformation regarding users' accounts with various institutions. Forexample, cellular, Internet (e.g., via WiFi), and other communicationnetworks serving remote devices (e.g., mobile devices) are untrusted andvulnerable and can be accessed and/or used directly or indirectly byentities seeking to collect and/or request a user's sensitiveinformation. In addition, the types of communications used on suchnetworks, such as SMS, email, Internet communications, and others, arealso inherently vulnerable to entities seeking to access or request auser's sensitive information. Not only are the types of communicationsvulnerable, but also users are vulnerable to incoming and outgoingcommunications using these same types of communications (e.g., telephonecalls, MMS, or SMS to or from an entity seeking to misappropriate theuser's information), particularly because the entities communicatingwith the user may be anonymous (which may include, for example, using afake, seemingly legitimate identity). Ultimately, these network andcommunication vulnerabilities put users, and, in some cases,institutions, at risk of account intrusion (e.g., misappropriation),identity theft, and other malicious use of users' sensitive information,which could also cause negative regulatory, compliance, or monetaryconsequences. This disclosure focuses on various ways of increasingnetwork security and reducing the scope and magnitude of certain presentvulnerabilities of various computer networks.

Certain embodiments of the present disclosure may provide one or moretechnical advantages. For example, by sending an alert to a remotedevice before an outgoing communication is sent, e.g., in real time, thesystem increases the likelihood of preventing a user of the remotedevice from divulging data to the compromising entity that represents apotential intrusion threat. Similarly, sending an alert regardingincoming communications, which may also occur in real time, increasesthe likelihood of preventing intrusions. Compared to an institutionsending out a general mass warning to users regarding potentialintrusion threats, for example via email or SMS, a user using a remotedevice as described herein is more likely both to notice the securityconcern pertaining to the incoming and/or outgoing communication and torefrain from sending data to the compromising entity. The effectivenessof the system in preventing communications with compromising entities isfurther increased in situations where the system sends a signal to theremote device to block the remote device from establishing an outgoingcommunication with a compromising entity. Similarly, the system may senda signal to the remote device to block or quarantine incomingcommunications from compromising entities. By increasing theeffectiveness of the intrusion protection system, digitaltelecommunication networks and the devices and hardware connected tothem become more secure.

Furthermore, by transforming data regarding compromising entities intoalerts and signals sent to the remote devices, the embodiments of thepresent disclosure may more effectively prevent intrusions into users'accounts, such as online bank accounts or credit accounts.

An additional technical advantage afforded by particular embodiments ofthe present invention is that intrusion protection can occur overcommunication channels that are more secure than standard email, SMS,MMS, Internet, etc., which may also increase the authenticity ofcommunications. For example, communications between an applicationassociated with an institution and a server (or other component of anintrusion protection system) can be more secure than other methods ofcommunication. This may allow for intrusion protection data, messages,signals, commands, etc. to be sent between components more securely. Asan additional example, communicated data may be transformed to adifferent format and/or protocol such that the communicated data is moresecure. In certain embodiments, the communications between anapplication and another component may be according to an uncommon,secure, and/or proprietary protocol, further increasing data securityand the authenticity of communications. For example, SSL (secure socketslayer) or tokenized communications may be used. Such communications alsoallow each component of the intrusion protection system to authenticatethe incoming communication, which is critical in situations whereintrusions may exist, and particularly if a compromising entity may haveremote access to a remote device. In some embodiments, directcommunication between the application and other components of anintrusion protection system may allow for communications, messages,commands, etc. to be sent to and/or from a remote device in thepossession or control of a compromising entity without the compromisingentity's knowledge and/or permission.

As yet another example advantage, certain embodiments of the presentdisclosure may also provide technical advantages to data networks byreducing the amount of network traffic and/or processing demandsrequired to operate intrusion protection systems, and more particularlyby reducing the amount of data sent by systems to remote devices. Forinstance, identifying individual communications with compromisingentities and sending alerts or signals to block only thosecommunications reduces network traffic compared to mass alerting allusers, or even all users in a certain geographic area.

Other technical advantages of the present disclosure will be readilyapparent to one skilled in the art from the following figures,descriptions, and claims. Moreover, while specific advantages have beenenumerated above, various embodiments may include all, some, or none ofthe enumerated advantages.

BRIEF DESCRIPTION OF THE EXAMPLE DRAWINGS

For a more complete understanding of the present disclosure and forfurther features and advantages thereof, reference is now made to thefollowing description taken in conjunction with the accompanying exampledrawings, in which:

FIG. 1 illustrates a block diagram of an example proactive intrusionprotection system, according to a particular embodiment;

FIG. 2 illustrates a data table comprising example data regardingcompromising entities and other information relevant to potentialintrusion threats, which may be used, for example, in the systemillustrated in FIG. 1 and/or the methods illustrated in FIGS. 3, 4, 5,and/or 6;

FIG. 3 illustrates a flowchart of an example method of proactiveintrusion protection against outgoing communications from a remotedevice, which may be used, for example, in the system illustrated inFIG. 1;

FIG. 4 illustrates a flowchart of another example method of proactiveintrusion protection against outgoing communications from a remotedevice, which may be used, for example, in the system illustrated inFIG. 1;

FIG. 5 illustrates a flowchart of an example method of proactiveintrusion protection against incoming communications to a remote device,which may be used, for example, in the system illustrated in FIG. 1; and

FIG. 6 illustrates a flowchart of another example method of proactiveintrusion protection against incoming communications to a remote device,which may be used, for example, in the system illustrated in FIG. 1.

DETAILED DESCRIPTION

Embodiments of the present disclosure and its advantages are bestunderstood by referring to FIGS. 1-6, like numerals being used for likeand corresponding parts of the various drawings.

Digital telecommunication networks and other computer networks areconfronted with numerous security vulnerabilities inherent to computernetworks. Often, communication and other networks are untrusted andvulnerable to entities seeking information associated with networkusers. These security vulnerabilities are further exacerbated when thenetworks are also used to communicate sensitive information, such asinformation regarding users' accounts with various institutions. Forexample, cellular, Internet (e.g., via WiFi), and other communicationnetworks serving remote devices (e.g., mobile devices) are untrusted andvulnerable and can be accessed and/or used directly or indirectly byentities seeking to collect and/or request a user's sensitiveinformation. In addition, the types of communications used on suchnetworks, such as SMS, email, Internet communications, and others, arealso inherently vulnerable to entities seeking to access or request auser's sensitive information. Not only are the types of communicationsvulnerable, but also users are vulnerable to incoming and outgoingcommunications using these same types of communications (e.g., telephonecalls, MMS, or SMS to or from an entity seeking to misappropriate theuser's information), particularly because the entities communicatingwith the user may be anonymous (which may include, for example, using afake, seemingly legitimate identity). Ultimately, these network andcommunication vulnerabilities put users, and, in some cases,institutions, at risk of account intrusion (e.g., misappropriation),identity theft, and other malicious use of users' sensitive information,which could also cause negative regulatory, compliance, or monetaryconsequences. This disclosure focuses on various ways of increasingnetwork security and reducing the scope and magnitude of certain presentvulnerabilities of various computer networks, particularly byimplementing proactive intrusion protection systems.

Proactive intrusion protection systems operate to protect againstintrusions in specific instances where the threat of intrusion is likelyor even certain. Instead of reactively sending out a mass message tousers' remote devices regardless of whether or not any given user hashad any contact with a suspected threat, proactive intrusion protectioninstead monitors certain communications in order to identify aparticular intrusion threat, and then acts to mitigate the intrusionthreat. For example, if a user is accesses a remote device and receivesa communication from (e.g., via SMS, MMS, telephone, Internet, email,etc.) or attempts to communicate with a compromising entity known orsuspected to be an intrusion threat, the proactive intrusion protectionsystem may identify the communication as an intrusion threat and, forexample, alert the user or block the communication.

As is applicable, the term “intrusion” as used herein may describeactual intrusions, attempted intrusions, and/or communications thatfurther an intrusion or intrusion attempt.

Example Proactive Intrusion Protection Systems

FIG. 1 illustrates a block diagram of an example proactive intrusionprotection system 100, according to a particular embodiment. System 100may include mobile device 110 (and more generally any remote device),server 130, data sources 150, compromising entities 160, and a network120. Network 120 may communicatively couple remote devices such asmobile device 110, server 130, data sources 150, compromising entities160, and/or any components contained within or controlled by suchdevices, servers, or data sources. In general, remote devices (such asmobile device 110) and remote systems (such as server 130), using datasources 150, may protect against, stop, or mitigate intrusions fromcompromising entities 160.

Example Proactive Intrusion Protection Systems—Networks

Proactive intrusion protection systems such as system 100 may comprisenetwork 120. Network 120 represents any suitable network operable tofacilitate communication between the components of system 100, such asmobile device 110, server 130, data sources 150, compromising entities160, and/or any components contained within or controlled by suchdevices. In particular embodiments, network 120 may also connect thecomponents of system 100 to any other component, system, or entity via,for example, the Internet. Network 120 may include any interconnectingsystem capable of transmitting audio, video, signals, data, messages, orany combination of the preceding. Network 120 may include all or aportion of a public switched telephone network (PSTN), a public orprivate data network, a local area network (LAN), a metropolitan areanetwork (MAN), a wide area network (WAN), a local, regional, or globalcommunication or computer network, such as the Internet, a wireline orwireless network, an enterprise intranet, or any other suitablecommunication link, including combinations thereof, operable tofacilitate communication between the components. Network 120 maycomprise multiple networks connecting some or all of the components ofsystem 100. For example one portion of network 120 may be a cellulartelephone network connecting mobile device 110 and a compromising entity160, while another portion of network 120 may be an Internet connectionbetween mobile device 110 and server 130.

Example Proactive Intrusion Protection Systems—Remote Devices

Proactive intrusion protection systems such as system 100 may compriseremote devices. In general, remote devices such as mobile device 110 mayassist in intrusion protection, such as in proactive intrusionprotection systems. In particular embodiments, proactive intrusionprotection may include preventing, stopping, and/or mitigatingintrusions. This may include protecting against instances where a remotedevice 110 is accessed or contacted by a compromising entity 160, wherethe compromising entity 160 is a possible source of intrusion. Forexample, a compromising entity 160, such as a team of intruders, maycontact mobile device 110 via SMS, telephone, or other means pretendingto be a legitimate operation but secretly seeking information that canbe used to access an account, such as a bank account, associated with auser of the mobile device. In certain instances, mobile device 110 (or auser thereof) may be the target of various intrusions, such as“phishing,” “vishing,” “pharming,” “smishing,” similar threats viasocial media, and other ways of misappropriating information. Inparticular embodiments, compromising entities 160 and/or devicescontrolled by such compromising entities 160 may seek information toaccess personal information or accounts associated with a remote devicesuch as mobile device 110 or a user of a remote device such as mobiledevice 110.

Mobile device 110 may also be remotely accessed by a compromising entity160, or, in certain situations, a compromising entity 160 may takephysical possession of mobile device 110. Once a compromising entity 160has remote or physical access to a remote device such as mobile device110, the compromising entity 160 may attempt to access personalinformation, accounts, or other property owner or associated with a userof the mobile device 110. Intrusion protection systems, particularlyproactive intrusion protection systems, seek to prevent, stop, ormitigate these and other instances of intrusions. As a possible point ofcontact with compromising entities 160, remote devices such as mobiledevice 110 may represent both vulnerable points susceptible tointrusion, as well as points from which to collect information regardingintrusions and/or protect against intrusions. In certain embodiments,proactive intrusion protection systems may alert mobile device 110 of anincoming communication 162 from a source associated with a compromisingentity 160. It other situations, proactive intrusion protection systemsmay alert mobile device 110 of an outgoing communication 168 from mobiledevice 110 to a destination associated with a compromising entity 160before such outgoing communication 168 is sent.

In other instances, proactive intrusion protection systems may preventremote devices, such as mobile devices 110, from communicating withcompromising entities 160. Furthermore, in other instances, proactiveintrusion protection systems may prevent remote devices, such as mobiledevices 110, from communicating with some or all other devices insituations where the remote device itself has become compromised and isa potential source of intrusions. This may occur, for example, if acompromising entity 160 compromises the remote device, causing theremote device to, for example, send intrusion messages that may furtheradditional intrusions to contacts stored on the remote device. In theillustrated embodiment, mobile device 110 comprises processor 112, datastorage 114, data 115, application 116, rules engine 117, alert level(also described as threshold level) 118, and alert message data 119.

In particular embodiments, mobile device 110 may communicate with othercomponents of system 100 via network 120. Mobile device 110 may includea personal computer, a workstation, a laptop, a wireless or cellulartelephone, an electronic notebook, a personal digital assistant, asmartphone, a netbook, a tablet, a slate personal computer, or any otherdevice (wireless, wireline, or otherwise) capable of receiving,processing, storing, and/or communicating information with othercomponents of 100.

Mobile device 110 may include one or more processor 112. Processor 112is generally operable to process and/or execute tasks associated withintrusion protection systems. For example, processor 112 may executeapplication 116. In particular embodiments, processor 112 may becommunicatively coupled with data storage 114, application 116, and/orother components of system 100, such as server 130. In some embodiments,processor 112 may be operable to determine a destination of an outgoingcommunication 168 requested from mobile device 110 and/or whether thedestination of the outgoing communication is associated with acompromising entity 160. In other embodiments, it may be operable todetermine a source of an incoming communication 162 and/or whether thesource is associated with a compromising entity 160. In particularembodiments, processor 112 may also determine an entity associated withthe destination or source. For example, the processor may use publicrecords or data sources 150 to determine an entity associated with thedestination or source. Processor 112 may also execute application 116.Processor 112 may comprise any suitable combination of hardware andsoftware to execute instructions and manipulate data to perform thedescribed functions for mobile device 110 and/or system 100. In someembodiments, processor 112 may include, for example, one or morecomputers, one or more central processing units (CPUs), one or moremicroprocessors, one or more applications, and/or other logic.

Mobile device 110 may include one or more data storage 114. In general,data storage 114 stores data, including, for example, application 116,rules engine 117, alert level 118, and associated data 115, includingdata regarding contacts associated with mobile device 110, dataregarding previous communications to and from mobile device 110, dataregarding attempted and current communications to and from mobile device110, data from data sources (e.g., server 130 and/or data sources 150),files, applications, and/or other data associated with mobile device110.

Examples of data storage 114 include computer memory (e.g., RandomAccess Memory (RAM) or Read Only Memory (ROM)), mass storage media(e.g., a hard disk or a redundant array independent disks (RAID)),removable storage media (e.g., a Compact Disk (CD) or a Digital VideoDisk (DVD)), database and/or network storage (e.g., a server, a networkattached storage (NAS), or a storage area network (SAN)), and/or or anyother volatile or non-volatile, non-transitory computer-readable memorydevices or components that store one or more files, lists, tables, orother arrangements of information.

In particular embodiments, data storage 114 may store application 116and associated data 115, rules engine 117, alert (threshold) level 118,and/or alert message data 119. In some embodiments, data storage 114 maystore some or all of the data contained in data storage 134, including,for example, lists of compromised devices 136, lists of contacts deemedunsafe 138, and/or other data regarding compromising entities 160compromising entities 160, as well as a list of trusted safe entities140, rules engine 142, or data table 200. In certain embodiments, datastorage 114 may store a rules engine 117 or other set of rules regardingwhen and how to (1) alert a user of intrusion risks and/or (2) block (orpause, quarantine, etc.) some or all communications to and/or frommobile device 110. As an example, the rules engine 117 may be used todictate that an alert (e.g., alert 144) and/or signal to block (e.g.,signal to block 146) will be sent (or displayed) in certain situations,such as when geographic conditions are met (e.g., the intrusions atissue are occurring in a particular geographic area), when the affectedmobile device is of a particular type or upgrade version, at particulardays and/or times, when the intrusion risk is applicable to commercialversus personal or individual users or devices, etc. In certainembodiments, data storage 114 may contain data comprising any datauseful to support the function or operation of mobile device 110 and/orintrusion protection system 100. Such data may comprise any number ofdatabases and/or data tables, such some or all of data table 200. Suchdata, as well as any other data associated with mobile device 110,including application 116, may be stored on any suitable device orcomponent capable of storing and facilitating retrieval of such data,for example, data storage 114 and/or data storage 134.

Mobile device 110 may comprise alert message data 119. In general, alertmessage data 119 is used by components of system 100 to store andretrieve information regarding alert messages. In certain embodiments,data storage 114 may comprise alert message data 119, where alertmessage data 119 comprises alert message contents and associated data.For example, alert message data 119 may comprise scripts, alert messagetext, message identifiers, etc. in the form of a database, table, orother format. Alert message data 119 may, for instance, be used as arepository of pre-formed messages that a remote device can use toquickly generate a message in response to an incoming alert. In certainembodiments, alert message data 119 may comprise a database or tablethat associates alert message data with message identifiers (where themessage identifiers may be smaller in size than the associated alertmessage data). Thus, for example, application 116 could receive an alertfrom server 130 comprising a message identifier and, by using alertmessage data 119, could locate the message associated with that messageidentifier and display it to a user. Alert message data 119 may beupdated by one or more components of system 100. In addition, alertmessage data 119 may be hosted on any component of system 100 or othercomponent connected to network 120.

Example Proactive Intrusion Protection Systems—Applications

Proactive intrusion protection systems such as system 100 may compriseapplications. Remote devices such as mobile device 110 may include oneor more application 116. Application 116 generally refers to logic,rules, algorithms, code, tables, and/or other suitable instructions forexecuting any suitable functions regarding the operation of intrusionprotection system 100. Application 116 may also be an applicationassociated with an institution, such as a banking institution, such thatapplication 116 allows a user to access and/or control his account withthe banking institution. In particular embodiments, application 116 maycommunicate with server 130 regarding communications requested by mobiledevice 110. Such communications may include telephone calls, textmessages, emails, transactions (including transactions performed onapplication 116), and/or any other communications. Application 116 maymonitor or otherwise have access to information regarding incomingcommunications 162 and outgoing communications 168 requested by a mobiledevice 110. In certain instances, application 116 may recognize that anoutgoing communication 168 has been requested on mobile device 110 (orthat mobile device 110 has received an incoming communication 162), atwhich point application 116 may collect and send information regardingthe communication (including, for example, information regarding thesource or destination of the incoming or outgoing communication) tocomponents of system 100, such as server 130. In other embodiments,application 116 may collect and analyze information regarding theincoming or outgoing communication (including, for example, informationregarding the source or destination of the incoming or outgoingcommunication).

In some embodiments, communications between application 116 and server130 may use proprietary protocols, SSL (secure sockets layer) ortokenized communications, or any other means of increasing the securityand authenticity of communications between application 116 and server130, or any other component of system 100. Furthermore, in suchembodiments, data comprising the communications between components (suchas application 116 and server 130) may be transformed from an originalform into a more secure form for transmission between components. Oncereceived, the data may be transformed from the secure form back to theoriginal form.

Additionally, in certain embodiments, application 116 may receive fromserver 130 (or other components of system 100) data regardingcompromising entities 160 and/or intrusion threats, which application116 may use to determine a source or destination of particular incoming(162) or outgoing (168) communications, determine an entity associatedwith the one or more sources or destinations, and/or determine whetherthe source or destination is associated with a compromising entity 160.In particular embodiments, application 116 may receive the dataregarding compromising entities 160 and/or intrusion threats fromcomponents of system 100 in real time and/or in batches of information.Batches may be received as part of an update schedule that may beperiodic or may be affected by the severity of intrusion threatsexisting at any particular time.

If application 116 determines that the source or destination of aparticular incoming or outgoing communication is associated with acompromising entity 160, application 116 may generate an alert to theuser and/or may block the particular incoming or outgoing communicationsto and/or from the mobile device (for example, the incomingcommunication 162 and/or outgoing communication 168).

In other embodiments, application 116 may receive from server 130 (orother components of system 100) messages and/or alerts 144 regardingpotential intrusion threats. For example, application 116 may receivefrom server 130 an alert 144 regarding an incoming communication 162 oran outgoing communication 168 requested by mobile device 110. The alert144 may be a pre-formed alert ready for display on mobile device 110 (orotherwise communicated to a user), or the alert 144 may be acommunication instructing application 116 to generate and communicate analert to a user and/or on mobile device 110. Application 116 may thendisplay the alert to a user of mobile device 110. The alert (whether,e.g., generated by application 116 or sent as alert 144 from server 130)may describe the nature of an intrusion threat, a recommended course ofaction, a contact for questions (e.g., a telephone number), and/or someof all of the information comprising data table 200. Application 116 mayalso display, as part of the alert, an option to the user to continuewith or to block the incoming or outgoing communication. Before andwhile a user selects an option, application 116 may quarantine or pausethe incoming communication 162 or outgoing communication 168.

Furthermore, in certain embodiments, the alert message (e.g., alert 144)may be customized per the specific threat (e.g., as indicated by aspecific event ID) or be generic to the type of incoming or outgoingcommunication (e.g., phone, email, SMS, and/or MMS). The alert may besent as a notification to mobile device 110 even if the user is using adifferent application than application 116, or the alert may be sentonly when the mobile device is running (or the user is accessing)application 116. The alert may also, in particular embodiments, addcontact information associated with the compromising entity 160 (e.g.,phone number, email address, screen name, etc.) and/or a source ordestination of an incoming or outgoing communication to a “deny” or“blocked contacts” list on the mobile device and/or on application 116.

In certain situations, components of system 100 may send alert messages(e.g., alert 144) updating “deny” and “blocked contacts” lists beforemobile device 110 has any actual incoming or outgoing communicationsfrom or to a particular compromising entity 160. In some embodiments,the alert may instruct the user of the general risk and/or may providethe user with an intrusion or fraud servicing phone number (or othercontact information) of one or more institutions relevant to theintrusion (e.g., a phone number or email address of the fraud departmentof the bank associated with the user's account that was the subject ofthe attempted intrusion). The user may then contact the institution tomitigate his risk, which may include opening an event ticket tied to theintrusion. By contacting the institution to report the activity, theuser may improve the system's (or institution A-N's 152-154) intrusionrisk information, analysis, and mitigation potential. In certainembodiments, the user may contact the institution via application 116,or application 116 may automatically send relevant information to theinstitution (e.g., to server 130).

In some embodiments, the components of system 100 may send and/orreceive alert messages (e.g. an alert 144 or other transmissions)comprising a message identifier (or other instructions) that identify aparticular alert message stored in alert message data 119 and/or alertmessage data 143. The message identifier may cause the particular alertmessage to be displayed on components of system 100. For example, uponreceipt of a message identifier corresponding to a particular alertmessage stored in alert message data 119, application 116 and/or mobiledevice 110 may display on application 116 and/or mobile device 110 theparticular alert message stored in alert message data 119.

In other situations, the components of system 100 may send and/orreceive alert messages (e.g. an alert 144 or other transmission)comprising an update to certain alert message data (e.g., alert messagedata 119 and/or alert message data 143). The update may compriseinformation associated with alert message data, such as scripts, alertmessage text, message identifier information, etc. For example, server130 may send to application 116 and/or mobile device 110 an alert 144comprising an update to alert message data 119 (the alert 144 may or maynot comprise other data), where the update comprises alert scriptsstored in alert message data 143. Upon receiving the update, application116 and/or mobile device 110 may update alert message data 119 with theupdated scripts, which may be used in current or future alerts displayedby application 116 and/or mobile device 110.

In still other embodiments, server 130 (or other components of system100) may send application 116 messages and/or signals to block 146certain incoming (162) and/or outgoing (168) communications to and/orfrom mobile device 110. For example, such messages and/or signals 146may block certain incoming or outgoing communications automatically, orsuch messages and/or signals 146 may instruct application 116 to blocksuch communications. In other embodiments, application 116 may generatealerts and/or signals to block incoming or outgoing communications onits own based on data accessible to application 116, such as dataregarding compromising entities 160 that may be stored on data storage114 or 134. Upon generating or receiving an alert (e.g., alert 144)and/or a signal to block (e.g., 146) incoming or outgoingcommunications, application 116 may temporarily pause, suspend,quarantine, or block certain communications until further instructionsare received from a user, server 130, a relevant institution, and/or anyother component of system 100.

Furthermore, in certain embodiments the incoming communication 162 oroutgoing communication 168 may be a transaction or transaction request,where the transaction requested is associated with an account associatedwith application 116 and/or the user of mobile device 110. For example,a transaction request for a balance transfer into or out of a bankaccount or to make a purchase may occur. The transaction request may bemade via application 116 in certain embodiments. Application 116 maysend information to server 130 or other components of system 100 todetermine if the transaction is associated with and/or initiated by acompromising entity 160. For example, the payee of a transaction, therecipient of a transaction, the number and/or amount of one or moretransactions, transaction patterns, the source of recent incomingcommunications 162 to the remote device, the destination of recentoutgoing communication 168 from the remote device, and various otherinformation regarding the transaction may be used to determine that thetransaction involves a compromising entity 160. Such information may becompared to data stored in data storage 114 or 134, for example dataregarding compromising entities 160. In certain embodiments, server 130may send to application 116 an alert 144 or signal to block 146 thetransaction. In other embodiments, application 116 may make suchdeterminations itself using data located on data storage 114, 134, orany other component of system 100. If the transaction is associatedwith, directed to, or initiated by a compromising entity 160,application 116 may generate an alert and/or signal to block therequested transaction.

In addition, in particular embodiments, application 116 may allow a userof a remote device such as mobile device 110 to set different alertlevels 118, which may also be described as threshold levels in certainembodiments. The alert levels 118 may indicate the sensitivity the userwishes application 116 to have when alerting the user. For example, theuser could indicate preferred alert levels 118 on a scale of severityranging from, for example, levels 1 through 5, where level 1 indicatesthat only very serious alerts (e.g., where the potential damage is greatand/or where greater than 80 percent of the relevant population may beaffected) are shown to the user and where level 5 indicates that all ornearly all alerts are shown to the user, regardless of severity (e.g.,the potential damage and/or the percentage of the relevant populationaffected). The preferred alert level may be stored or sent to anycomponent of system 100. Application 116 may determine the applicablealert level 118 of any given alert, or it may receive the alert level118 of any given alert (e.g., alert 144) from server 130 or any othercomponent of system 100. In other embodiments, if only a certaingeographic area is affected, application 116 may only generate ordisplay an alert if it determines that the user (or the user's account)is in the affected geographic area. Application 116 may base itsdetermination on data from server 130 or other components of system 100,on data stored in data storage 114, and/or on other components of remotedevice 110 that can obtain the physical location of the user (e.g., GPS,WiFi, IP address, social media, etc.).

Example Proactive Intrusion Protection Systems—Remote Systems

Proactive intrusion protection systems such as system 100 may compriseremote systems. In general, remote systems such as server 130 may assistin intrusion protection, such as in proactive intrusion protectionsystems. Server 130 may comprise hardware and/or software, as well aslogic, rules, algorithms, code, tables, and/or other suitableinstructions for executing any suitable functions regarding theoperation of intrusion protection system 100. Server 130 may beassociated with an institution, such as a banking institution, and/orwith application 116. In particular embodiments, server 130 maycommunicate with application 116 regarding incoming communications 162to mobile device 110 and/or outgoing communications 168 initiated bymobile device 110. Such communications may include telephone calls, textmessages, emails, transactions (including transactions performed onapplication 116), and/or any other communications. In certain instances,server 130 may receive from application 116 information regarding theincoming or outgoing communication (including, for example, informationregarding the source or destination of the incoming or outgoingcommunication). In other embodiments, server 130 may collect (e.g., frommobile device 110, application 116, and/or data sources 150) and analyzeinformation regarding the incoming or outgoing communication (including,for example, information regarding the source or destination of theincoming communication 162 or outgoing communication 168).

In some embodiments, communications between application 116 and server130 may use proprietary protocols, SSL (secure sockets layer) ortokenized communications, or any other means of increasing the securityand authenticity of communications between application 116, or any othercomponent of system 100, and server 130. Furthermore, in suchembodiments, data comprising the communications between components (suchas application 116 and server 130) may be transformed from an originalform into a more secure form for transmission between components. Oncereceived, the data may be transformed from the secure form back to theoriginal form.

Additionally, in certain embodiments, server 130 may receive fromapplication 116 (or other components of system 100, such as data sources150) data regarding compromising entities 160 and/or intrusion threats,which server 130 may use to determine one or more sources ordestinations of particular incoming (162) or outgoing (168)communications, determine an entity associated with the one or moresources or destinations, and/or determine whether the source ordestination is associated with a compromising entity 160.

If server 130 determines that the source or destination of a particularincoming or outgoing communication is associated with a compromisingentity 160, server 130 may (1) generate an alert 144 and send the alert144 to application 116 and/or a remote device such as mobile device 110and/or (2) generate a signal to block 146 the particular incoming oroutgoing communications to and/or from the mobile device (for example,incoming communication 162 and/or outgoing communication 168) and sendthe signal 146 to application 116 and/or a remote device such as mobiledevice 110.

In other embodiments, server 130 may send to application 116 (or othercomponents of system 100) messages and/or alerts 144 regarding potentialintrusion threats. For example, server 130 may send to application 116an alert 144 regarding an incoming communication 162 or an outgoingcommunication 168 requested by mobile device 110. The alert 144 may be apre-formed alert ready for display on mobile device 110 (or otherwisecommunicated to a user), or the alert 144 may be a communicationinstructing application 116 to generate and communicate an alert to auser and/or on mobile device 110. In certain embodiments, the alert(whether, e.g., generated by application 116 or sent as alert 144 fromserver 130) may describe the nature of an intrusion threat, arecommended course of action, a contact for questions (e.g., a telephonenumber), and/or some or all of the information comprising data table200. Server 130 may also instruct application 116 to display an alertand/or display an option to the user to continue with or to block theincoming or outgoing communication. Before and while a user selects anoption, alert 144 may cause application 116 to quarantine or pause theincoming communication 162 or outgoing communication 168.

Furthermore, in certain embodiments, the alert message (e.g., alert 144)may be customized per the specific threat (e.g., as indicated by aspecific event ID) or be generic to the type of incoming or outgoingcommunication (e.g., phone, email, SMS, and/or MMS). The alert may besent as a notification to mobile device 110 even if the user is using adifferent application than application 116, or the alert may be sentonly when the mobile device is running (or the user is accessing)application 116. The alert may also, in particular embodiments, addcontact information associated with the compromising entity 160 (e.g.,phone number, email address, screen name, etc.) and/or a source ordestination of an incoming or outgoing communication to a “deny” or“blocked contacts” list on the mobile device and/or on application 116.

In certain situations, components of system 100 may send alert messages(e.g., alert 144) updating “deny” and “blocked contacts” lists beforemobile device 110 has any actual incoming or outgoing communicationsfrom or to a particular compromising entity 160. In some embodiments,the alert may instruct the user of the general risk and/or may providethe user with an intrusion or fraud servicing phone number (or othercontact information) of one or more institutions relevant to theintrusion (e.g., a phone number of the fraud department of the bankassociated with the user's account that was the subject of the attemptedintrusion). The user may then contact the institution to mitigate hisrisk, which may include opening an event ticket tied to the intrusion.By contacting the institution to report the activity, the user mayimprove the system's intrusion risk information, analysis, andmitigation potential. In certain embodiments, the user may contact theinstitution via application 116, or application 116 may automaticallysend relevant information to the institution (e.g., to server 130).

In some embodiments, the components of system 100 may send and/orreceive alert messages (e.g. an alert 144 or other transmissions)comprising a message identifier (or other instructions) and/or an updateto alert message data (e.g., alert message data 119 and/or alert messagedata 143), as previously described.

In still other embodiments, server 130 (or other components of system100) may send application 116 messages and/or signals to block 146certain incoming (162) and/or outgoing (168) communications to and/orfrom mobile device 110. For example, such messages and/or signals 146may block certain incoming or outgoing communications automatically, orsuch messages and/or signals 146 may instruct application 116 to blocksuch communications. In other embodiments, server 130 may instructapplication 116 to temporarily pause, suspend, quarantine, or blockincoming or outgoing communications until further instructions arereceived from a user, server 130, a relevant institution, and/or anyother component of system 100. In particular embodiments, server 130 maysend or receive an authentication message to or from application 116that may confirm that the alert 144 and/or signal to block 146 wasreceived by a legitimate application, device, or entity.

Furthermore, in certain embodiments the incoming communication 162 oroutgoing communication 168 may be a transaction or transaction request,where the transaction requested is associated with an account associatedwith application 116 and/or the user of mobile device 110. For example,a transaction request for a balance transfer into or out of a bankaccount or to make a purchase may occur. The transaction request may bemade via application 116 in certain embodiments. Server 130 may receiveinformation regarding the requested transaction from mobile device 110,application 116, or any other component of system 100. Server 130 mayalso determine if the transaction is associated with and/or initiated bya compromising entity 160. For example, the payee of a transaction, therecipient of a transaction, the number and amount of one or moretransactions, transaction patterns, the source of recent communicationsto the remote device, and various other information regarding thetransaction may be used to determine that the transaction involves acompromising entity 160. Such information may be compared to data storedin data storage 134, for example data regarding compromising entities160. If the transaction is associated with, directed to, or initiated bya compromising entity 160, server 130 may send an alert 144 and/orsignal to block 146 the requested transaction to other components ofsystem 100. In certain embodiments, server 130 may block the requestedtransaction itself.

In particular embodiments, server 130 and/or any components thereof mayinclude a network server, any suitable remote server, a mainframe, ahost computer, a workstation, a web server, a personal computer, a fileserver, or any other suitable device operable to communicate with othercomponents in system 100 and assist with the function of server 130,such as intrusion protection. In particular embodiments, the functionsof server 130 may be performed by any suitable combination of one ormore servers or other components at one or more locations. In addition,the server may be a private server, and the server may be a virtual orphysical server. In the illustrated embodiment, server 130 comprisesprocessor 132, data storage 134, list of compromised devices 136, listof contacts deemed unsafe 138, safe entities 140, rules engine 142, anddata table 200.

Server 130 may include one or more processors 132. Processor 132 isgenerally operable to process and/or execute tasks associated withintrusion protection systems. In particular embodiments, processor 132may be communicatively coupled with data storage 134, including list ofcompromised devices 136 and list of contacts deemed unsafe 138, rulesengine 142, safe entities 140, data table 200, data sources 150, and/orother components of system 100, such as mobile device 110 and/orapplication 116. In some embodiments, processor 132 may be operable todetermine a destination of an outgoing communication 168 from mobiledevice 110 and/or whether the destination of the outgoing communicationis associated with a compromising entity 160. In other embodiments, itmay be operable to determine a source of an incoming communication 162and/or whether the source is associated with a compromising entity 160.In particular embodiments, processor 132 may also determine an entityassociated with the destination. For example, the processor may usepublic records or data sources 150 to determine an entity associatedwith the destination or source. Processor 132 may execute application116 and/or send or receive messages or other data from application 116.Processor 132 may comprise any suitable combination of hardware andsoftware to execute instructions and manipulate data to perform thedescribed functions for server 130 and/or system 100. In someembodiments, processor 132 may include, for example, one or morecomputers, one or more central processing units (CPUs), one or moremicroprocessors, one or more applications, and/or other logic.

Server 130 may include one or more data storage 134. In general, datastorage 134 stores data, including, for example, data regardingcompromising entities 160 such as lists of compromised devices 136,lists of contacts deemed unsafe 138, data regarding “safe” or “trusted”entities 140, rules engine 142, alert message data 143, data table 200,data regarding previous communications to and from server 130 and/orremote devices, data regarding attempted and current communications toand from server 130 and/or remote devices, data from data sources (e.g.,mobile device 110 and/or data sources 150), files, applications, and/orother data associated with server 130.

Examples of data storage 134 include computer memory (e.g., RandomAccess Memory (RAM) or Read Only Memory (ROM)), mass storage media(e.g., a hard disk or a redundant array independent disks (RAID)),removable storage media (e.g., a Compact Disk (CD) or a Digital VideoDisk (DVD)), database and/or network storage (e.g., a server, a networkattached storage (NAS), or a storage area network (SAN)), and/or or anyother volatile or non-volatile, non-transitory computer-readable memorydevices or components that store one or more files, lists, tables, orother arrangements of information.

In particular embodiments, data storage 134 may store a list ofcompromised devices 136 and/or a list of contacts deemed unsafe 138 andother data associated with the functions of a remote system such asserver 130 (e.g, data regarding safe entities 140, rules engine 142,alert message data 143, data table 200, etc.). In some embodiments, datastorage 134 may store some or all of the data contained in data storage114, including, for example, application 116, data 115, rules engine117, alert (threshold) level 118, and/or other data regarding remotedevices such as mobile device 110. In certain embodiments, data storage134 may store a rules engine 142 or other set of rules regarding whenand how to (1) alert a user and/or mobile device of intrusion risksand/or (2) block (or pause, quarantine, etc.) some or all communicationsto and/or from mobile device 110. As an example, the rules engine 142may be used to dictate that an alert (e.g., alert 144) and/or signal toblock (e.g., signal to block 146) will be sent (or displayed) in certainsituations, such as when geographic conditions are met (e.g., theintrusions at issue are occurring in a particular geographic area), whenthe affected mobile device is of a particular type or upgrade version,at particular days and/or times, when the intrusion risk is applicableto commercial versus personal or individual users or devices, etc. Incertain embodiments, such data comprises safe entities 140, whichcomprises information regarding entities and/or devices that are knownto be safe (e.g., are “trusted”) and are unlikely to pose an intrusionthreat. In other embodiments, data storage 134 may contain datacomprising any data useful to support the function or operation ofserver 130 and/or intrusion protection system 100. Such data maycomprise any number of databases and/or data tables, such some or all ofdata table 200. Such data, as well as any other data associated withserver 130, including any list of compromised devices 136 and/or list ofcontacts deemed unsafe 138, may be stored on any suitable device orcomponent capable of storing and facilitating retrieval of such data,for example, data storage 134 and/or data storage 114.

Server 130 may include one or more list of compromised devices 136. Ingeneral, list of compromised devices 136 comprises data associated withdevices that are known and/or suspected to be associated withcompromising entities 160 or represent actual or potential sources ofintrusion. For example, list of compromised devices 136 may includemobile devices such as phones, tablets, smartwatches, as well asservers, computers, or any other physical or virtual device that mayrepresent a threat of intrusion. In certain embodiments, list ofcompromised devices 136 may include physical and/or virtualdestinations, particular physical or virtual machines or devices,particular MAC addresses, international mobile station equipmentidentities (IMEI), or IP addresses, and/or any other additionalinformation or relevant identifiers or data related to compromiseddevices. In particular embodiments, list of compromised devices 136 maycomprise some or all of the data in data table 200. The data comprisingany list of compromised devices 136 may be in any format useful to thefunction of server 130 and/or components of system 100. List ofcompromised devices 136 may be stored on data storage 134, data storage114, or any other location useful to the function of server 130 and/orcomponents of system 100. In particular embodiments, individual devicesincluded in the list of compromised devices 136 may be associated withone or more compromising entities 160. Conversely, multiple individualdevices included in the list of compromised devices may be associatedwith a single compromising entity 160.

Server 130 may include one or more list of contacts deemed unsafe 138.In general, list of contacts deemed unsafe 138 comprises data associatedwith contacts, such as any entity, that are known and/or suspected to beassociated with compromising entities 160 or represent actual orpotential sources of intrusion. For example, list of contacts deemedunsafe 138 may include an identifier of a contact comprising orassociated with a compromising entity 160, for instance a name, screenname, address, organization name, zip code, phone number, email address,voice biometrics, geographic source or destination (e.g. a country,city, or other geographical area), and/or any other relevant identifierassociated with a contact that may represent a threat of intrusion. Inparticular embodiments, list of contacts deemed unsafe 138 may comprisesome or all of the data in data table 200. The data comprising any listof contacts deemed unsafe 138 may be in any format useful to thefunction of server 130 and/or components of system 100. List of contactsdeemed unsafe 138 may be stored on data storage 134, data storage 114,or any other location useful to the function of server 130 and/orcomponents of system 100. In particular embodiments, individual contactsincluded in the list of contacts deemed unsafe 138 may be associatedwith one or more compromising entities 160. Conversely, multipleindividual contacts included in the list of contacts deemed unsafe 138may be associated with a single compromising entity 160.

Server 130 may comprise alert message data 143. In general, alertmessage data 143 is used by components of system 100 to store andretrieve information regarding alert messages. Alert message data 143 issimilar to alert message data 119 and may exist and operate in the sameways previously described regarding alert message data 119. In certainembodiments, alert message data 143 may be used by components of system100 to update alert message data 119, or vice versa. In otherembodiments, server 130 and/or data sources 150 may update alert messagedata 143. In addition, alert message data 119 may be hosted on anycomponent of system 100 or other component connected to network 120.

Example Proactive Intrusion Protection Systems—Data Sources

Proactive intrusion protection systems such as system 100 may comprisedata sources. In general, data sources 150 may assist in intrusionprotection, such as in proactive intrusion protection systems. This mayinclude, for example, providing information to intrusion protectionsystems, such as components of system 100, to assist in proactiveintrusion protection. For example, data sources 150 may send data to beincluded in a list of compromised devices 136 or a list of contactsdeemed unsafe 138. Data sources 150 may provide any information helpfulto the function of server 130 or intrusion protection systems such assystem 100. In particular embodiments, data sources 150 may provide someor all of the data comprising data table 200. In some embodiments, theindividual data sources comprising data sources 150 may be independentof one another or part of a network of sources pooling information tocombat intrusions. In certain instances, some or all of data sources 150may update certain components of system 100 in real time and/or inbatches of information. In other embodiments, data sources 150 maycomprise remote devices, such as mobile device 110 running applicationssuch as application 116, where the remote device and/or applicationreports data regarding intrusions. In the illustrated embodiment, datasources 150 comprises institutions A-N 152-154, intelligence-sharingnetwork 156, and government source 158.

Data sources 150 may include one or more institutions A-N 152-154. Ingeneral, institutions A-N 152-154 represent any institution where usersmaintain accounts that are potential targets of intrusion. InstitutionsA-N 152-154 represent any number “N” of institutions. In particularembodiments, some or all of institutions A-N are banking institutions.In particular embodiments, institutions A-N 152-154 may monitorintrusions, users, and/or compromising entities 160. In someembodiments, institutions A-N 152-154 may analyze intrusion risks anddata for certain accounts, users, geographies, etc. Institutions A-N152-154 may communicate data related to their monitoring and analysis ofintrusions to intrusion protection systems such as components of system100 (e.g., server 130). For example, institutions A-N may provide someor all of the data comprising data table 200. In certain embodiments,some or all of the institutions comprising institutions A-N 152-154 maybe individual branches of a single common institution, such as a bank,or they may be independent institutions. In some embodiments,institutions may be associated with applications installed on remotedevices, such as application 116. For example, institution A 142 mayissue application 116, which a user of mobile device 110, who has anaccount with institution A 142, may install on mobile device 110.

Data sources 150 may include one or more intelligence-sharing network156. In general, intelligence-sharing network 156 seeks to prevent,stop, and/or mitigate intrusions by collecting and distributing dataregarding intrusions as quickly as possible. In particular embodiments,intelligence-sharing network 156 may be comprised of various members orsources that contribute information to intelligence-sharing network 156.In some embodiments, some of all of institutions A-N may contribute toor maintain intelligence-sharing network 156. In particular embodiments,intelligence-sharing network 156 may monitor intrusions, users, and/orcompromising entities 160. In some embodiments, intelligence-sharingnetwork 156 may analyze intrusion risks and data for certain accounts,users, geographies, etc. Intelligence-sharing network 156 maycommunicate data related to its monitoring and analysis of intrusions tointrusion protection systems such as components of system 100 (e.g.,server 130). For example, intelligence-sharing network 156 may providesome or all of the data comprising data table 200.

Data sources 150 may include one or more government source 158. Ingeneral, government source 146 is a government-controlled source thatcontains information helpful to preventing, stopping, and/or mitigatingintrusions by collecting and distributing data regarding intrusions. Inparticular embodiments, government source 158 may be comprised ofvarious government programs, agencies, departments, etc. In someembodiments, government source 158 may monitor intrusions and/orcompromising entities 160. In other embodiments, government source 158may analyze intrusion risks and data for certain accounts, industries,geographies, etc. Government source 158 may communicate data related toits monitoring and analysis of intrusions to intrusion protectionsystems such as components of system 100 (e.g., server 130). Forexample, government source 158 may provide some or all of the datacomprising data table 200.

Example Proactive Intrusion Protection Systems—Compromising Entities andAssociated Communications

Proactive intrusion protection systems such as system 100 may protectagainst various compromising entities. In general compromising entities160 represent any number of entities that pose an actual or potentialintrusion threat, such as persons, organizations, countries,governments, computer viruses, programs, etc. In certain embodiments,compromising entities 160 may be devices associated with one or morecompromising entities, for example, a personal computer, a workstation,a laptop, a wireless or cellular telephone, an electronic notebook, apersonal digital assistant, a smartphone, a netbook, a tablet, a slatepersonal computer, a server, a network or any other device (wireless,wireline, or otherwise) capable of receiving, processing, storing,and/or communicating information with other components of 100. Inparticular embodiments, a compromising entity 160 may represent a sourceof an incoming communication 162 to a remote device, e.g., mobile device110. In other embodiments, a compromising entity 160 may represent adestination of an outgoing communication 168 from a remote device, e.g.,mobile device 110. In the illustrated example embodiment of system 100,compromising entities may initiate (be the source of) an incomingcommunication 162 to mobile device 110 and/or receive (be thedestination of) an outgoing communication 168.

In general, incoming communication 162 is any type of communication,including communications originating from a compromising entity 160,that is directed toward a remote device (e.g., mobile device 110). Incertain embodiments, incoming communication 162 may be a telephone call,SMS, MMS, email, Internet server request or response, transaction,transaction request, electronic data packets, or any other type ofcommunication. In particular embodiments, incoming communication 162represents an intrusion threat and/or furthers an actual or attemptedintrusion associated with a compromising entity 160. In the illustratedembodiment, incoming communication 162 comprises incoming communicationinformation 164 and source information 166.

In general, incoming communication information 164 comprises informationrelated to incoming communication 162. In particular embodiments,incoming communication information 164 may comprise informationregarding the type of communication, the network being used, the timethe communication was initiated and/or arrived, the status of thecommunication, the technical specifications of the communication,metadata, and/or any other information related to incoming communication162. In some embodiments, incoming communication information 164 maycomprise source information 166.

In general, source information 166 comprises information about thesource of incoming communication 162. In particular embodiments, sourceinformation 166 may comprise information regarding a compromising entity160, where the compromising entity 160 represents the source of incomingcommunication 162. In some embodiments, source information 166 maycomprise the name, IP address, address, telephone number, port number,geographic location, or any other information regarding the source ofincoming communication 162 (e.g., a compromising entity 160). Sourceinformation 166 may also comprise, or be contained within, metadata suchas header information in data packets that comprise incomingcommunication 162. Such header information may be extracted, analyzed,transformed, or otherwise used by components of system 100, such asmobile device 110 (including application 116) and server 130, todetermine the source of an incoming communication 162. In particularembodiments, components of system 100, such as mobile device 110 and/orsystem 130 may use source information 166 to determine if the entitythat originated incoming communication 162 is associated with acompromising entity 160.

In general, outgoing communication 168 is any type of communication,including communications originating from a remote device (e.g., mobiledevice 110) that is directed toward a compromising entity. In certainembodiments, outgoing communication 168 may be a telephone call, SMS,MMS, email, Internet server request or response, transaction,transaction request, electronic data packets, or any other type ofcommunication. In particular embodiments, outgoing communication 168represents an intrusion threat and/or furthers an actual or attemptedintrusion associated with a compromising entity 160. In the illustratedembodiment, outgoing communication 168 comprises outgoing communicationinformation 170 and destination information 172.

In general, outgoing communication information 170 comprises informationrelated to outgoing communication 168. In particular embodiments,outgoing communication information 170 may comprise informationregarding the type of communication, the network being used, the timethe communication was initiated and/or arrived, the status of thecommunication, the technical specifications of the communication,metadata, and/or any other information related to outgoing communication168. In some embodiments, outgoing communication information 170 maycomprise destination information 172.

In general, destination information 172 comprises information about thedestination of outgoing communication 168. In particular embodiments,destination information 172 may comprise information regarding acompromising entity 160, where the compromising entity 160 representsthe destination of outgoing communication 168. In some embodiments,destination information 172 may comprise the name, IP address, address,telephone number, port number, geographic location, or any otherinformation regarding the destination of outgoing communication 168(e.g., a compromising entity 160). Destination information 172 may alsocomprise, or be contained within, metadata such as header information indata packets that comprise outgoing communication 170. Such headerinformation may be used by components of system 100, such as mobiledevice 110 (including application 116) and server 130, to determine thedestination of an outgoing communication 168. In particular embodiments,components of system 100, such as mobile device 110 and/or system 130may use destination information 172 to determine if the entity thatoriginated outgoing communication 168 is associated with a compromisingentity 160.

A component of system 100 may include one or more of an interface,logic, memory, and/or other suitable element. An interface receivesinput, sends output, processes the input and/or output and/or performsother suitable operations. An interface may comprise hardware and/orsoftware. Logic performs the operation of the component, for example,logic executes instructions to generate output from input. Logic mayinclude hardware, software, and/or other logic. Logic may be encoded inone or more tangible media, such as a computer-readable medium or anyother suitable tangible medium, and may perform operations when executedby a computer. Certain logic, such as a processor, may manage theoperation of a component. Examples of a processor include one or morecomputers, one or more microprocessors, one or more applications, and/orother logic.

Modifications, additions, or omissions may be made to the systemsdescribed herein without departing from the scope of the disclosure. Forexample, system 100 may include any number remote devices (such asmobile devices 110), networks 120, server 130, data sources 150, and/orcompromising entities 160. Particular components may be integrated orseparated. Although components of system 100 are illustrated as separatecomponents in FIG. 1, in some embodiments, components of system 100 mayshare one or more components or be further separated. In particularembodiments, components of system 100 may be implemented on virtualmachines. Moreover, the operations may be performed by more, fewer, orother components and in different configurations. Additionally, anyoperations performed by system 100, such as determinations of whetherthe source or destination of an incoming or outgoing communication isassociated with a compromising entity 160, may be performed using anysuitable logic comprising software, hardware, and/or other logic. Asused in this document, “each” refers to each member of a set or eachmember of a subset of a set.

Example Data Table Used by Proactive Intrusion Protection Systems

FIG. 2 illustrates a data table 200 comprising example data regardingcompromising entities 160 and other information relevant to potentialintrusion threats, according to a particular embodiment. In certainembodiments, some or all of data table 200, or some of all of the datacontained therein, may be used by proactive intrusion protectionsystems, such as by components of system 100 of FIG. 1 and/or in stepsof methods 300, 400, 500, and/or 600 illustrated in FIGS. 3-6.

In general, data table 200 may assist in performing proactive intrusionprotection and may be used in intrusion protection systems. In certainembodiments, data table 200 (or any data therein) may be used toidentify compromising entities (such as compromising entities 160) orother sources of intrusions. In other embodiments, data table 200 (orany data therein) may be used to confirm that a particular source ordestination of an incoming communication 162 or outgoing communication168 is or is not a compromising entity 160 or device operated orcontrolled by a compromising entity 160. In some example embodiments,data table 200 (or any data therein) may be used by server 130 todetermine whether the source or destination of an incoming communicationor an outgoing communication requested by mobile device 110 isassociated with a compromising entity 160. In other embodiments, datatable 200 (or any data therein) may be used by application 116 todetermine whether the source or destination of an incoming or outgoingcommunication to or from mobile device 110 is associated with acompromising entity 160. In some embodiments, data table 200 and/or asubset of the data contained therein may be communicated directly orindirectly between an application associated with a remote device (e.g.,application 116 on mobile device 110) and a component associated with anintrusion protection system, such as server 130. Certain data comprisingdata table 200 may also be communicated between data sources 150, server130, mobile device 110, and/or application 116.

In particular embodiments, data table 200 may comprise data columns orrows such as date 210, event ID 212, entity identifier 214, location216, and/or additional information 220. Such data rows and columns maycomprise data associated with the name of the row or column. Forexample, the date 210 column may comprise dates that certain intrusionsoccurred or were reported or logged. Furthermore, the event ID 212column may comprise an identifier (e.g. a number, symbol, or any otheridentifier) of various intrusion events and/or compromising entities.The entity identifier 214 column may comprise identifying informationassociated with compromising entities 160 or devices, such as phonenumbers, names, email addresses, addresses, zip code, domain names,aliases, voice biometrics, international mobile station equipmentidentities (IMEI), IP addresses, etc. As another example, the location216 column may comprise locations associated with certain intrusions,compromising entities 160, actual or potential intrusion victims, and/orthe geographic area that may be affected by, or at risk of, certainintrusions. Location 216 column may contain any geographic location orarea anywhere in the world. The additional information 220 column maycompromise any additional information useful to an intrusion protectionsystem. For example, the additional information 220 column may comprisea description of certain intrusions, including potential threats, and/ora description of the compromising entity 160. In certain embodiments,the additional information 220 column may comprise tactics used orreportedly used by compromising entities 160 and/or devices, the statusof any response, the nature of any response, and/or any recommendationsto users, devices, or organizations regarding combating a compromisingentities 160 and/or intrusions.

The columns shown in data table 200 are exemplary and not exhaustive. Insome embodiments, data table 200 may comprise data such as dates, eventIDs or names, entity identifiers, physical and/or virtual destinations,particular physical or virtual machines or devices, particular MACaddresses, international mobile station equipment identities (IMEI), orIP addresses, and/or any other additional information or relevantidentifiers or data. In example embodiments, the data displayed in datatable 200 may comprise an identifier of an entity associated with asource or destination of an incoming or outgoing communication and/or acompromising entity 160, for instance a name, screen name, address,organization name, zip code, phone number, voice biometrics, geographicsource or destination (e.g., a country, city, or other geographicalarea), and/or any other relevant identifier. Any such data andinformation may be contained in appropriate columns or rows, or in anyother format useful to an intrusion protection system. Additionally, oneof skill in the art will recognize that the inclusion of other data andinformation is possible without departing from the scope of the presentdisclosure.

Example Proactive Intrusion Protection Methods

FIG. 3 illustrates a flowchart of an example method 300 of proactiveintrusion protection against outgoing communications 168 from a remotedevice (e.g., mobile device 110), according to a particular embodiment.In certain embodiments, some or all of the steps of method 300 may beperformed by components of system 100 illustrated in FIG. 1 (forexample, server 130 and/or application 116). Some or all of the steps ofmethod 300 may be used in conjunction with some or all of the steps ofmethods 400, 500, and/or 600.

Method 300 begins at step 310. At step 310, data is stored thatidentifies a plurality of compromising entities 160 (e.g., list ofcompromised devices 136 and/or list of contacts deemed unsafe 138). Asystem, for example components of system 100 (such as server 130), mayperform this step. In some embodiments, the data may comprise outgoingcommunication information 170 and/or destination information 170. Incertain embodiments, the data may be received from data sources 150. Insome embodiments, the data may comprise some or all of the datacomprising data table 200. The data may comprise a phone number,physical and/or virtual destination, a particular physical or virtualmachine or device, a particular MAC address, international mobilestation equipment identities (IMEI), or IP address, and/or any otherrelevant identifier. In example embodiments, the data may comprise anidentifier of an entity associated with the destination, for instance aname, screen name, address, organization name, zip code, phone number,voice biometrics, geographic source or destination (e.g. a country,city, or other geographical area), and/or any other relevant identifier.

At step 312, information is received regarding a pending outgoingcommunication (e.g., outgoing communication 168). In certainembodiments, the information regarding the outgoing communication maycomprise a destination of the outgoing communication. In particularembodiments, the information may comprise outgoing communicationinformation 170 and/or destination information 172. The information maybe received from an application (e.g., application 116) associated witha remote device (e.g., mobile device 110) and/or with an intrusionprotection system, which may include, for example, components of system100. In particular embodiments, the information may be in electronicform. The electronic information may be in the form of a proprietaryprotocol associated with the application and/or the intrusion protectionsystem. The electronic information may be received (e.g., from theapplication) in a secure manner, such that, for example, other users anddevices connected to network 120 cannot access the information (or wouldhave difficulty accessing the information). In some embodiments, theinformation may be received by an institution associated with theapplication and/or by an intrusion protection system associated with theapplication and/or institution. In certain embodiments, the informationmay be received by a server, such as server 130, or to some othercomponent of an intrusion protection system.

At step 314, a destination of the outgoing communication (e.g., outgoingcommunication 168) is determined. In some embodiments, the destinationof the outgoing communication may be determined, based at least in part,on the information received regarding a pending outgoing communication(e.g., outgoing communication information 170 and/or destinationinformation 172). Such information may be received, for example, from anapplication such as application 116 on a remote device such as mobiledevice 110. In certain embodiments, the destination of the outgoingcommunication may comprise a phone number, physical and/or virtualdestination, a particular physical or virtual machine or device, aparticular MAC address, international mobile station equipmentidentities (IMEI), or IP address, and/or any other relevant identifier.In some embodiments, the destination may comprise an identifier of anentity associated with the destination, for instance a name, screenname, address, organization name, zip code, phone number, voicebiometrics, geographic source or destination (e.g. a country, city, orother geographical area), and/or any other relevant identifier.

At step 316, an entity associated with the destination is determined. Insome embodiments, this determination may be performed by a processorassociated with an intrusion protection system, for example componentsof system 100 (e.g., processor 132, processor 112, and/or application116). In certain embodiments, the entity associated with the destinationof the outgoing communication may be determined by comparing thedetermined destination (or data regarding the destination) with dataidentifying any of the plurality of compromising entities (e.g.,compromising entities 160). For example, data regarding the destination(e.g., outgoing communication information 170, destination information172, and/or information regarding contacts stored on mobile device 110)contained in data storage 134, 114 and/or from data sources 150 may becompared with a list of compromised devices 136 and/or a list ofcontacts deemed unsafe 138, and/or any other data associated withcompromising entities (e.g., data from data sources 150 and/or datatable 200). An entity associated with the destination may be determinedby analyzing data for an association or match between the destinationand data associated with a compromising entity 160. In otherembodiments, an entity associated with the destination may be determinedby analyzing data for an association or match between the destinationand data associated with a non-compromising or “safe” or “trusted”entity (e.g., safe entities 140).

In particular embodiments, the entity may be determined by accessing,comparing, and/or transforming data present on the remote device. Forexample, a list of contacts, email addresses, phone numbers, or anyother data stored on a remote device, such as data storage 114 of mobiledevice 110 may be used to determine the entity associated with thedestination. Outgoing communication information 170 and/or destinationinformation 172 may be used in certain circumstances. In otherembodiments, other data stored by or on components of the intrusionprotection system may be used to determine the entity associated withthe destination. For example, data storage 134 and/or data storage 114may also have data corresponding to various entities that are notnecessarily compromised or compromising. For example, data storage 134and/or data storage 114 may comprise “safe lists” 140 (also known as“trusted lists”), which may also contain other information indicatingthat particular entities and/or destinations are not a threat.

At step 318, it is determined whether the entity associated with thedestination matches, or is associated with, one of the plurality ofcompromising entities (e.g., compromising entities 160). If thedestination does not match, or show an association with, one of theplurality of compromising entities, then method 300 continues to step320. If the destination does match, or is associated with, one of theplurality of compromising entities, then method 300 continues to step322. In certain embodiments, the determination of step 318 may beperformed by components of an intrusion protection system, such assystem 100, and as a further example, processors 132, 112 and/orapplication 116.

At step 320, a message is sent indicating that the outgoingcommunication (e.g., outgoing communication 168) may proceed. In certainembodiments, the message may be sent to an application associated withthe intrusion protection system (e.g., application 116), which may berunning and/or located on remote device (e.g., mobile device 110). Insome embodiments, the message may comprise, be sent with, or cause analert or other notification. For example, the message may be sent withan alert (e.g. alert 144) to an application on a remote device. Inparticular embodiments, the outgoing communication proceeds if nomessage to the contrary is sent or if the remote device is notinstructed to block the outgoing communication (or otherwise pause,suspend, quarantine, or hold the communication) after a certain periodof time. The period of time, or delay, may be set by components of theintrusion protection system, such as components of system 100. Forexample, server 130 may receive instructions regarding the period oftime from application 116, from a user interacting with application 116.As another example, server 130 may use a rules engine 142 or othersettings to determine the period of time.

At step 322, it is determined whether to send a message comprising orcausing (1) an alert (e.g. alert 144) or (2) a signal to block (e.g.,signal to block 146) the outgoing communication. If it is determinedthat an alert will be sent, method 300 continues to step 324. If it isdetermined that a signal to block the outgoing communication will besent, method 300 continues to step 326. In certain embodiments, it maybe determined that the message will comprise a signal to block othercommunications in addition to, or instead of, the outgoingcommunication. In some embodiments, the message may instruct theapplication to create and/or display an alert. In some embodiments, themessage may instruct the application to create and/or transmit a signalto block the outgoing communication or any other communication.Additionally, the determination of step 322 may be made by components ofan intrusion protection system, such as components system 100. Forexample, processors 132 and 112, and/or application 116, may determinewhether to send or propagate an alert (e.g., alert 144) or blockingmessage (e.g., signal to block 146), based on, for example, a rulesengine 142 or other criteria stored on a component associated with theintrusion protection system (e.g., data storage 114, data storage 134,and/or data sources 150). As an example, the rules engine 142 may beused to dictate that an alert and/or signal to block will be sent incertain situations, such as when geographic conditions are met (e.g.,the intrusions at issue are occurring in a particular geographic area),when the affected mobile device is of a particular type or upgradeversion, at particular days and/or times, when the intrusion risk isapplicable to commercial versus personal or individual users or devices,etc.

At step 324, a message comprising an alert (e.g., alert 144) is sent. Inparticular embodiments, the alert is sent before the outgoingcommunication is sent. In certain embodiments, the alert comprises datasufficient to inform a remote device (e.g., mobile device 110) and/or anapplication associated with the remote device (e.g., application 116)that the destination of the outgoing communication matches acompromising entity (e.g., compromising entity 160). In exampleembodiments, the alert may be configured to cause the remote deviceand/or the application associated with the remote device to display thealert on the remote device or another device. In further embodiments,the alert may be configured to be displayed to the user of the remotedevice and/or the application. In other embodiments, the alert may beconfigured to display certain information (or cause the application todisplay certain information), such as some or all of the informationcontained in data table 200 and/or that the destination of the outgoingcommunication matches a compromising entity (e.g., compromising entity160). The alert may be configured to give the user the option to blocksome or all communication with any compromising entity associated withthe alert. The alert may further be configured to allow the user to havethe option to terminate the outgoing communication. In particularembodiments, the alert may be configured to cause the application and/orremote device to pause, suspend, quarantine, or otherwise hold theoutgoing communication until or unless the user indicates that theoutgoing communication should proceed.

At step 326, a message comprising a signal (e.g., signal to block 146)is sent that blocks the outgoing communication or causes the outgoingcommunication (e.g., outgoing communication 168) to be blocked. Incertain embodiments, the signal may be configured to cause theapplication to block the outgoing communication. In particularembodiments, the signal itself may be configured to disable or otherwiseblock the outgoing communication. The signal may also be configured toblock, or cause to be blocked, communications other than just theoutgoing communication, for example, every communication from theapplication (e.g., application 116) or the remote device running theapplication (e.g., mobile device 110). This may happen, for example, ifthe remote device is physically obtained or remotely controlled by acompromising entity (e.g., compromising entity 160). The signal may beconfigured to block on such a larger-scale, for example, if it isdetermined that an unauthorized user (such as a compromising entity 160)has accessed the application and/or the remote device running theapplication. In such instances, the signal may be configured to blockall communications to and/or from the remote device. In addition, thesignal may be configured to limit features of the remote device (e.g.,texting, telephone, email, certain applications, etc. may be disabled,or information may only be sent to existing contacts present on theremote device, not contacts entered after the signal is sent). Thesignal may also be configured to track the remote device, for examplevia phone number, IP or MAC address, IMEI, etc. Once the remote device,now a compromised device itself, is tracked, server 130 and/or othercomponents of intrusion protection system 100 may remove its ability toaccess networks associated with certain institutions (e.g., a bankassociated with intrusion protection system 100). As an additionalexample, a user may request a blocking signal be sent to the remotedevice, for example if the user misplaces his remote device or if hewants to prevent minors from sending/receiving money from unknownsources. In such instances, the blocking signal may, for example,prevent communications (e.g. incoming communications 162 and/or outgoingcommunications 168) constituting some or all monetary transactions, butnot necessarily standard telephone calls, email, social media usage,etc.

In certain embodiments, the signal may be configured to require, orcause the application or device to require, a user to enter a passcodeor otherwise verify his identity (to the application, a device runningthe application, and/or an institution associated with the application)before some or all communications are unblocked. In particularembodiments, an alert (e.g., alert 144), such as the types of alertsdescribed in step 324, may accompany the signal to block (e.g. signal toblock 146) any communications. In certain situations, any blockingsignal may be part of or accompany any alert.

In particular embodiments of method 300, a user, a system, and/orcomponent of a system, such as system 100, may perform all steps, anystep, or any part of a step. In addition, a user, system, and/orcomponent of a system may cause an application to perform all steps, anystep, or any part of a step. Some, all, or part of the steps of method300 may be used in conjunction with some, all, or part of the steps ofmethods 400, 500, and/or 600. In certain embodiments of method 300, aproactive intrusion protection process could comprise some or all stepsof method 300, either in the order and arrangement described or not. Inparticular embodiments of method 300, some or all steps of method 300may be partially or fully applicable to both outgoing communications(where the destination may be determined to be associated with acompromising entity) and incoming communications (where the source maybe determined to be associated with a compromising entity).

The steps of method 300 are given as example combinations of steps forproactive intrusion protection, including example steps of executingproactive intrusion protection. Some of the steps may be performed in adifferent order, omitted, or repeated where appropriate. Additionally,one of skill in the art will recognize other combinations of steps,including additional steps, are possible without departing from thescope of the present disclosure.

FIG. 4 illustrates a flowchart of another example method 400 ofproactive intrusion protection against outgoing communications 168 froma remote device (e.g., mobile device 110), according to a particularembodiment. In certain embodiments, some or all of the steps of method400 may be performed by components of system 100 illustrated in FIG. 1(for example, application 116 and/or server 130). Some or all of thesteps of method 400 may be used in conjunction with some or all of thesteps of methods 300, 500, and/or 600.

Method 400 begins at step 410. At step 410, an outgoing communication(e.g., outgoing communication 168) is initiated such that the outgoingcommunication is pending. The outgoing communication may be any type ofelectronic communication, including, for example, a telephone call, SMS,MMS, email, interaction with a web page on the Internet, communicationvia a proprietary protocol or service (e.g., a message specific to aparticular application), a transaction or transaction request, etc. Inparticular embodiments, a user may initiate the outgoing communicationon his remote device, such as mobile device 110. In further embodiments,the outgoing communication may be initiated over an application (forexample, application 116) associated with an intrusion protectionsystem, such as components of system 100. In other embodiments, theoutgoing communication may be initiated on a remote device running anapplication (for example, application 116) associated with an intrusionprotection system.

At step 412, information regarding the outgoing communication (e.g.,outgoing communication 168), comprising a destination of the outgoingcommunication, is sent via an application. In particular embodiments,the information may comprise outgoing communication information 170and/or destination information 172. The information may be in electronicform. The electronic information may be in the form of a proprietaryprotocol associated with the application and/or the intrusion protectionsystem. The electronic information may be sent via the application in asecure manner, such that, for example, some or all of any otherapplications on a remote device (e.g., mobile device 110) running theapplication cannot access the information (or would have difficultyaccessing the information). In some embodiments, the information may besent to an institution associated with the application and/or tocomponents of an intrusion protection system associated with theapplication and/or institution. In certain embodiments, the informationmay be sent to a server, such as server 130, or to some other componentof an intrusion protection system.

In some embodiments, the destination of the outgoing communication maycomprise a phone number, physical and/or virtual destination, aparticular physical or virtual machine or device, a particular MACaddress, international mobile station equipment identities (IMEI), or IPaddress, and/or any other relevant identifier. In some embodiments, thedestination may comprise an identifier of an entity associated with thedestination, for instance a name, screen name, address, organizationname, zip code, phone number, voice biometrics, geographic source ordestination (e.g. a country, city, or other geographical area), and/orany other relevant identifier.

At step 414, a message regarding the outgoing communication is receivedvia the application. In particular embodiments, the message may be anelectronic message. The electronic message may be in the form of aproprietary protocol associated with the application and/or theintrusion protection system. The electronic message may be received viathe application in a secure manner, such that, for example, some or allof any other applications on a remote device (e.g., mobile device 110)running the application cannot access the message (or would havedifficulty accessing the message). In some embodiments, the message maybe received from an institution associated with the application and/orfrom a component of an intrusion protection system associated with theapplication. In certain embodiments, the message may be received from aserver, such as server 130, or from some other component of an intrusionprotection system.

At step 416, it is determined whether the message indicates that theoutgoing communication (e.g., outgoing communication 168) may proceed.If it is determined that the outgoing communication may proceed, method400 continues to step 418. If it is determined that the outgoingcommunication may not proceed, method 400 continues to step 420. Incertain embodiments, the application analyzes the message to determinewhether or not the outgoing communication may proceed. In certainembodiments, the determination of step 416 may be performed bycomponents of an intrusion protection system, such as system 100, and asa further example, processors 132, 112 and/or application 116.

At step 418, the outgoing communication (e.g. outgoing communication168) proceeds. In certain embodiments, a user of the application may benotified that the outgoing communication may proceed. In someembodiments, the outgoing communication proceeds if no message to thecontrary is received or if the remote device is not instructed to blockthe outgoing communication (or otherwise pause, suspend, quarantine, orhold the communication) after a certain period of time. The period oftime may be set by the user and/or the application in certainembodiments. For example, the period of time, or delay, may be set bycomponents of the intrusion protection system, such as components ofsystem 100. For example, application 116 may receive instructionsregarding the period of time from server 130 or from a user interactingwith application 116. As another example, application 116 may use arules engine 117 or other settings to determine the period of time.

At step 420, it is determined whether the message is an alert (e.g.,alert 144) or a signal to block (e.g., signal to block 146) the outgoingcommunication. If it is determined that the message is an alert, method400 continues to step 422. If it is determined that the message is asignal to block the outgoing communication, method 400 continues to step424. In certain embodiments, the message may be a signal to block othercommunications in addition to, or instead of, the outgoingcommunication. In some embodiments, the message may instruct theapplication to create and/or display an alert. In some embodiments, themessage may instruct the application to create and/or transmit a signalto block the outgoing communication or any other communication.Additionally, the determination of step 420 may be made by components ofan intrusion protection system, such as components system 100. Forexample, processors 132 and 112, and/or application 116, may determinewhether to send or propagate an alert or blocking message, based on, forexample, a rules engines 117 and 142 or other criteria stored on acomponent associated with the intrusion protection system (e.g., datastorage 114, data storage 134, and/or data sources 150). As an example,the rules engine 117 may be used to dictate that an alert and/or signalto block will be sent in certain situations, such as when geographicconditions are met (e.g., the intrusions at issue are occurring in aparticular geographic area), when the affected mobile device is of aparticular type or upgrade version, at particular days and/or times,when the intrusion risk is applicable to commercial versus personal orindividual users or devices, etc.

At step 422, the alert is displayed. In some circumstances, the alertmay be alert 144 and/or may be generated by an application associatedwith a remote device (e.g., application 116). In particular embodiments,the alert is displayed on a remote device running the application. Insome example embodiments, the alert may be displayed and/or receivedbefore the outgoing communication is sent. In further embodiments, thealert may be displayed to the user of the remote device and/or theapplication. In other embodiments, the alert may display certaininformation, such as some or all of the information contained in datatable 200 and/or that the destination of the outgoing communication(e.g., outgoing communication 168) matches a compromising entity (e.g.,compromising entity 160). The user may also have the option to blocksome or all communication with any compromising entity associated withthe alert. The user may also have the option to terminate the outgoingcommunication. In particular embodiments, the alert, or the applicationin response to receiving the alert, may pause, suspend, quarantine, orotherwise hold the outgoing communication until or unless the userindicates that the outgoing communication should proceed.

At step 424, the outgoing communication (e.g., outgoing communication168) is blocked. In certain embodiments, the application may block theoutgoing communication, which may occur in response to receiving thesignal to block (e.g., signal to block 146). In particular embodiments,the signal itself may be configured to disable or otherwise block theoutgoing communication. The signal may also be configured to block, orcause to be blocked, communications other than just the outgoingcommunication, for example, every communication from the application(e.g., application 116) or the remote device running the application(e.g., mobile device 110). This may happen, for example, if the remotedevice is physically obtained or remotely controlled by a compromisingentity (e.g., compromising entity 160). The signal may be configured toblock on such a larger-scale, for example, if it is determined that anunauthorized user (such as a compromising entity 160) has accessed theapplication and/or the remote device running the application. In suchinstances, the signal may be configured to block all communications toand/or from the remote device. In addition, the signal may be configuredto limit features of the remote device (e.g., texting, telephone, email,certain applications, etc. may be disabled, or information may only besent to existing contacts present on the remote device, not contactsentered after the signal is sent). The signal may also be configured totrack the remote device, for example via phone number, IP or MACaddress, IMEI, etc. Once the remote device, now a compromised deviceitself, is tracked, server 130 and/or other components of intrusionprotection system 100 may remove its ability to access networksassociated with certain institutions (e.g., a bank associated withintrusion protection system 100). As an additional example, a user mayrequest a blocking signal be sent to the remote device, for example ifthe user misplaces his remote device or if he wants to prevent minorsfrom sending/receiving money from unknown sources. In such instances,the blocking signal may, for example, prevent communications (e.g.incoming communications 162 and/or outgoing communications 168)constituting some or all monetary transactions, but not necessarilystandard telephone calls, email, social media usage, etc.

In certain embodiments, a user may need to enter a passcode or otherwiseverify his identity (to the application, a device running theapplication, and/or an institution associated with the application)before some or all communications are unblocked. In particularembodiments, an alert (e.g., alert 144), such as the types of alertsdescribed in step 422, may accompany the signal to block (e.g., 146) anycommunications. In certain situations, any blocking signal may be partof or accompany any alert.

In particular embodiments of method 400, a user, a system, and/orcomponent of a system, such as system 100, may perform all steps, anystep, or any part of a step. In addition, a user, system, and/orcomponent of a system may cause an application to perform all steps, anystep, or any part of a step. Some, all, or part of the steps of method400 may be used in conjunction with some, all, or part of the steps ofmethods 300, 500, and/or 600. In certain embodiments of method 400, aproactive intrusion protection process could comprise some or all stepsof method 400, either in the order and arrangement described or not. Inparticular embodiments of method 400, some or all steps of method 400may be partially or fully applicable to both outgoing communications(where the destination may be determined to be associated with acompromising entity) and incoming communications (where the source maybe determined to be associated with a compromising entity).

The steps of method 400 are given as example combinations of steps forproactive intrusion protection, including example steps of executingproactive intrusion protection. Some of the steps may be performed in adifferent order, omitted, or repeated where appropriate. Additionally,one of skill in the art will recognize other combinations of steps,including additional steps, are possible without departing from thescope of the present disclosure.

FIG. 5 illustrates a flowchart of an example method 500 of proactiveintrusion protection against incoming communications 162 from a remotedevice (e.g., mobile device 110), according to a particular embodiment.In certain embodiments, some or all of the steps of method 500 may beperformed by components of system 100 illustrated in FIG. 1 (forexample, server 130 and/or application 116). Some or all of the steps ofmethod 500 may be used in conjunction with some or all of the steps ofmethods 300, 400, and/or 600.

Method 500 begins at step 510. At step 510, data is stored thatidentifies a plurality of compromising entities 160 (e.g., list ofcompromised devices 136 and/or list of contacts deemed unsafe 138). Step510 is analogous to step 310 of method 300. In certain embodiments, thedata may comprise incoming communication information 164 and/or sourceinformation 166.

At step 512, information is received regarding an incoming communication(e.g., incoming communication 162). Step 512 is analogous to step 312,but focuses on incoming communications and/or sources of such incomingcommunications as opposed to outgoing communications and/or destinationsof such outgoing communications. In particular embodiments, theinformation may comprise incoming communication information 164 and/orsource information 166.

At step 514, a source of the incoming communication (e.g., incomingcommunication 162) is determined. Step 514 is analogous to step 314, butfocuses on incoming communications and/or sources of such incomingcommunications as opposed to outgoing communications and/or destinationsof such outgoing communications. In some embodiments, the source may bedetermined, based at least in part, on the information receivedregarding an incoming communication (e.g., incoming communicationinformation 164 and/or source information 166).

At step 516, an entity associated with the source is determined. Step516 is analogous to step 316, but focuses on incoming communicationsand/or sources of such incoming communications as opposed to outgoingcommunications and/or destinations of such outgoing communications.Incoming communication information 164 and/or source information 166 maybe used to determine the source and/or an entity associated with thesource. For example, data regarding the source (e.g., incomingcommunication information 164, source information 166, and/orinformation regarding contacts stored on mobile device 110) contained indata storage 134, 114 and/or from data sources 150 may be compared witha list of compromised devices 136 and/or a list of contacts deemedunsafe 138, and/or any other data associated with compromising entities(e.g., data from data sources 150 and/or data table 200).

At step 518, it is determined whether the entity associated with thesource matches, or is associated with, one of the plurality ofcompromising entities (e.g., compromising entities 160). If the sourcedoes not match, or show an association with, one of the plurality ofcompromising entities, then method 500 continues to step 520. If thesource does match, or is associated with, one of the plurality ofcompromising entities, then method 500 continues to step 522. Step 518is analogous to step 318, but focuses on incoming communications and/orsources of such incoming communications as opposed to outgoingcommunications and/or destinations of such outgoing communications.

At step 520, a message is sent indicating that the incomingcommunication (e.g., incoming communication 162) may proceed. Step 520is analogous to step 320, but focuses on incoming communications and/orsources of such incoming communications as opposed to outgoingcommunications and/or destinations of such outgoing communications.

At step 522, it is determined whether to send a message comprising orcausing (1) an alert (e.g. alert 144) or (2) a signal to block (e.g.,signal to block 146) the incoming communication. If it is determinedthat an alert will be sent, method 500 continues to step 524. If it isdetermined that a signal to block the incoming communication will besent, method 500 continues to step 526. Step 522 is analogous to step322, but focuses on incoming communications and/or sources of suchincoming communications as opposed to outgoing communications and/ordestinations of such outgoing communications.

At step 524, a message comprising an alert (e.g., alert 144) is sent.Step 524 is analogous to step 324, but focuses on incomingcommunications and/or sources of such incoming communications as opposedto outgoing communications and/or destinations of such outgoingcommunications. In certain embodiments, the alert may not be sent beforethe incoming communication is sent, as a remote device (such as mobiledevice 110) may need to receive the incoming communication before analert can be generated and/or sent.

At step 526, a message comprising a signal (e.g., signal to block 146)is sent that blocks the incoming communication or causes the incomingcommunication (e.g., incoming communication 162) to be blocked. Step 526is analogous to step 326, but focuses on incoming communications and/orsources of such incoming communications as opposed to outgoingcommunications and/or destinations of such outgoing communications. Incertain embodiments, “blocking” the incoming communication may comprisequarantining the incoming communication until a further action (such asallowing or terminating the incoming communication) is determined orchosen by a user of the remote device. In other embodiments, theincoming communication may be “blocked” by terminating the incomingcommunication, automatically or otherwise.

In particular embodiments of method 500, a user, a system, and/orcomponent of a system, such as system 100, may perform all steps, anystep, or any part of a step. In addition, a user, system, and/orcomponent of a system may cause an application to perform all steps, anystep, or any part of a step. Some, all, or part of the steps of method500 may be used in conjunction with some, all, or part of the steps ofmethods 300, 400, and/or 600. In certain embodiments of method 500, aproactive intrusion protection process could comprise some or all stepsof method 500, either in the order and arrangement described or not. Inparticular embodiments of method 500, some or all steps of method 500may be partially or fully applicable to both outgoing communications(where the destination may be determined to be associated with acompromising entity) and incoming communications (where the source maybe determined to be associated with a compromising entity).

The steps of method 500 are given as example combinations of steps forproactive intrusion protection, including example steps of executingproactive intrusion protection. Some of the steps may be performed in adifferent order, omitted, or repeated where appropriate. Additionally,one of skill in the art will recognize other combinations of steps,including additional steps, are possible without departing from thescope of the present disclosure.

FIG. 6 illustrates a flowchart of another example method 600 ofproactive intrusion protection against incoming communications 162 froma remote device (e.g., mobile device 110), according to a particularembodiment. In certain embodiments, some or all of the steps of method600 may be performed by components of system 100 illustrated in FIG. 1(for example, application 116 and/or server 130). Some or all of thesteps of method 600 may be used in conjunction with some or all of thesteps of methods 300, 400, and/or 500.

Method 600 begins at step 610. At step 610, an incoming communication(e.g., incoming communication 162) is received. Step 610 is analogous tostep 410, but focuses on incoming communications and/or sources of suchincoming communications as opposed to outgoing communications and/ordestinations of such outgoing communications.

At step 612, information regarding the incoming communication,comprising a source of the incoming communication, is sent via anapplication. Step 612 is analogous to step 412, but focuses on incomingcommunications and/or sources of such incoming communications as opposedto outgoing communications and/or destinations of such outgoingcommunications. In certain embodiments, the information may compriseincoming communication information 164 and/or source information 166.

At step 614, a message regarding the incoming communication (e.g.,incoming communication 162) is received via the application. Step 614 isanalogous to step 414, but focuses on incoming communications and/orsources of such incoming communications as opposed to outgoingcommunications and/or destinations of such outgoing communications.

At step 616, it is determined whether the message indicates that theincoming communication (e.g., incoming communication 162) may proceed.If it is determined that the incoming communication may proceed, method600 continues to step 618. If it is determined that the incomingcommunication may not proceed, method 600 continues to step 620. Step616 is analogous to step 416, but focuses on incoming communicationsand/or sources of such incoming communications as opposed to outgoingcommunications and/or destinations of such outgoing communications.

At step 618, the incoming communication proceeds. Step 618 is analogousto step 418, but focuses on incoming communications and/or sources ofsuch incoming communications as opposed to outgoing communicationsand/or destinations of such outgoing communications.

At step 620, it is determined whether the message is an alert (e.g.,alert 144) or a signal to block (e.g., signal to block 146) the incomingcommunication. If it is determined that the message is an alert, method600 continues to step 622. If it is determined that the message is asignal to block the incoming communication, method 600 continues to step624. Step 620 is analogous to step 420, but focuses on incomingcommunications and/or sources of such incoming communications as opposedto outgoing communications and/or destinations of such outgoingcommunications.

At step 622, the alert is displayed. In certain embodiments, the alertmay be sent from another component of an intrusion protection system(e.g., alert 144) or the alert may be generated by a remote device, suchas mobile device 110. Step 622 is analogous to step 422, but focuses onincoming communications and/or sources of such incoming communicationsas opposed to outgoing communications and/or destinations of suchoutgoing communications. In certain embodiments, the alert may not bedisplayed before the incoming communication is sent, as a remote device(such as mobile device 110) may need to receive the incomingcommunication before an alert can be generated and/or sent.

At step 624, the incoming communication (e.g., incoming communication162) is blocked. Step 624 is analogous to step 624, but focuses onincoming communications and/or sources of such incoming communicationsas opposed to outgoing communications and/or destinations of suchoutgoing communications. In certain embodiments, “blocking” the incomingcommunication may comprise quarantining the incoming communication untila further action (such as allowing or terminating the incomingcommunication) is determined or chosen by a user of the remote device.In other embodiments, the incoming communication may be “blocked” byterminating the incoming communication, automatically or otherwise.

In particular embodiments of method 600, a user, a system, and/orcomponent of a system, such as system 100, may perform all steps, anystep, or any part of a step. In addition, a user, system, and/orcomponent of a system may cause an application to perform all steps, anystep, or any part of a step. Some, all, or part of the steps of method600 may be used in conjunction with some, all, or part of the steps ofmethods 300, 400, and/or 500. In certain embodiments of method 600, aproactive intrusion protection process could comprise some or all stepsof method 600, either in the order and arrangement described or not. Inparticular embodiments of method 600, some or all steps of method 600may be partially or fully applicable to both outgoing communications(where the destination may be determined to be associated with acompromising entity) and incoming communications (where the source maybe determined to be associated with a compromising entity).

The steps of method 600 are given as example combinations of steps forproactive intrusion protection, including example steps of executingproactive intrusion protection. Some of the steps may be performed in adifferent order, omitted, or repeated where appropriate. Additionally,one of skill in the art will recognize other combinations of steps,including additional steps, are possible without departing from thescope of the present disclosure.

Certain embodiments of the present disclosure may provide one or moretechnical advantages. For example, by sending an alert to a remotedevice before an outgoing communication is sent, e.g., in real time, thesystem increases the likelihood of preventing a user of the remotedevice from divulging data to the compromising entity that represents apotential intrusion threat. Similarly, sending an alert regardingincoming communications, which may also occur in real time, increasesthe likelihood of preventing intrusions. Compared to an institutionsending out a general mass warning to users regarding potentialintrusion threats, for example via email or SMS, a user using a remotedevice as described herein is more likely both to notice the securityconcern pertaining to the incoming and/or outgoing communication and torefrain from sending data to the compromising entity. The effectivenessof the system in preventing communications with compromising entities isfurther increased in situations where the system sends a signal to theremote device to block the remote device from establishing an outgoingcommunication with a compromising entity. Similarly, the system may senda signal to the remote device to block or quarantine incomingcommunications from compromising entities. By increasing theeffectiveness of the intrusion protection system, digitaltelecommunication networks and the devices and hardware connected tothem become more secure.

Furthermore, by transforming data regarding compromising entities intoalerts and signals sent to the remote devices, the embodiments of thepresent disclosure may more effectively prevent intrusions into users'accounts, such as online bank accounts or credit accounts.

An additional technical advantage afforded by particular embodiments ofthe present invention is that intrusion protection can occur overcommunication channels that are more secure than standard email, SMS,MMS, Internet, etc., which may also increase the authenticity ofcommunications. For example, communications between an applicationassociated with an institution and a server (or other component of anintrusion protection system) can be more secure than other methods ofcommunication. This may allow for intrusion protection data, messages,signals, commands, etc. to be sent between components more securely. Asan additional example, communicated data may be transformed to adifferent format and/or protocol such that the communicated data is moresecure. In certain embodiments, the communications between anapplication and another component may be according to an uncommon,secure, and/or proprietary protocol, further increasing data securityand the authenticity of communications. For example, SSL (secure socketslayer) or tokenized communications may be used. Such communications alsoallow each component of the intrusion protection system to authenticatethe incoming communication, which is critical in situations whereintrusions may exist, and particularly if a compromising entity may haveremote access to a remote device. In some embodiments, directcommunication between the application and other components of anintrusion protection system may allow for communications, messages,commands, etc. to be sent to and/or from a remote device in thepossession or control of a compromising entity without the compromisingentity's knowledge and/or permission.

As yet another example advantage, certain embodiments of the presentdisclosure may also provide technical advantages to data networks byreducing the amount of network traffic and/or processing demandsrequired to operate intrusion protection systems, and more particularlyby reducing the amount of data sent by systems to remote devices. Forinstance, identifying individual communications with compromisingentities and sending alerts or signals to block only thosecommunications reduces network traffic compared to mass alerting allusers, or even all users in a certain geographic area.

Other technical advantages of the present disclosure will be readilyapparent to one skilled in the art from the following figures,descriptions, and claims. Moreover, while specific advantages have beenenumerated above, various embodiments may include all, some, or none ofthe enumerated advantages.

Modifications, additions, or omissions may be made to the systems,apparatuses, and processes described herein without departing from thescope of the disclosure. The components of the systems and apparatusesmay be integrated or separated. Moreover, the operations of the systemsand apparatuses may be performed by more, fewer, or other components.The methods may include more, fewer, or other steps. Additionally, stepsmay be performed in any suitable order. Additionally, operations of thesystems and apparatuses may be performed using any suitable logic. Asused in this document, “each” refers to each member of a set or eachmember of a subset of a set.

Although several embodiments have been illustrated and described indetail, it will be recognized that substitutions and alterations arepossible without departing from the spirit and scope of the presentdisclosure, as defined by the appended claims. To aid the Patent Office,and any readers of any patent issued on this application in interpretingthe claims appended hereto, applicants note that they do not intend anyof the appended claims to invoke 35 U.S.C. § 112(f) as it exists on thedate of filing hereof unless the words “means for” or “step for” areexplicitly used in the particular claim.

The invention claimed is:
 1. A system, comprising: a memory operable tostore: data identifying a plurality of compromising entities, where thedata comprises at least one of a device identifier or a contactidentifier; and a processor communicatively coupled to the memory andoperable to: receive, from a remote application associated with a remotedevice and with the system, information regarding a pending outgoingcommunication, where the information comprises a MAC address associatedwith a destination of the outgoing communication; determine that anentity associated with the destination of the outgoing communicationmatches at least one of the plurality of compromising entities based, atleast in part, on comparing: MAC addresses associated with the pluralityof compromising entities; and the MAC address associated with thedestination of the outgoing communication; and in response todetermining that the entity associated with the destination of theoutgoing communication matches at least one of the plurality ofcompromising entities, determine that the remote device is potentiallycompromised; send, to the remote application associated with the system,and before the outgoing communication is sent, a signal configured toblock the outgoing communication, wherein the signal is furtherconfigured to: block a plurality of future communications sent from theremote device in response to determining that the remote device ispotentially compromised; and disable one or more features of the remotedevice.
 2. The system of claim 1, wherein the information is received aspart of a communication formatted to be protected by at least one of SSL(secure sockets layer) and tokenization.
 3. The system of claim 1,wherein the signal is sent as part of a communication formatted to beprotected by at least one of SSL (secure sockets layer) andtokenization.
 4. The system of claim 1, wherein the processor receivesan authentication message confirming that the signal was received by alegitimate application.
 5. The system of claim 1, wherein: at least someof the information regarding the destination of the outgoingcommunication comprises a phone number; and the entity associated withthe destination of the outgoing communication is determined, based atleast in part, on comparing: the phone number; and the data identifyinga plurality of compromising entities, where the data comprises aplurality of phone numbers.
 6. The system of claim 1, wherein the signalcomprises instructions for the remote application to block the outgoingcommunication.
 7. The system of claim 1, further comprising: a rulesengine, where a rule of the rules engine must be satisfied before thesignal may be sent; and wherein the processor is further operable to:determine that a rule associated with the rules engine applies, wherethe rule holds that only signals associated with threats above athreshold level of severity may be sent; and determine that the signalis associated with a threat above the threshold level of severity.
 8. Asystem, comprising: a memory operable to store: data identifying aplurality of compromising entities, where the data comprises at leastone of a device identifier or a contact identifier; and a processorcommunicatively coupled to the memory and operable to: receive, from aremote application associated with a remote device and with the system,information regarding a pending outgoing communication, where theinformation comprises a MAC address associated with a destination of theoutgoing communication; determine that an entity associated with thedestination of the outgoing communication matches at least one of theplurality of compromising entities based, at least in part, oncomparing: MAC addresses associated with the plurality of compromisingentities; and the MAC address associated with the destination of theoutgoing communication; and in response to determining that the entityassociated with the destination of the outgoing communication matches atleast one of the plurality of compromising entities, determine that theremote device is potentially compromised; send, to the remoteapplication associated with the system, and before the outgoingcommunication is sent, an alert indicating that the destination of theoutgoing communication matches a compromising entity; and send, to theremote application associated with the system, and before the outgoingcommunication is sent, a signal to: block a plurality of futurecommunications sent from the remote device in response to determiningthat the remote device is potentially compromised; and disable one ormore features of the remote device.
 9. The system of claim 8, whereinthe information is received as part of a communication formatted to beprotected by at least one of one of SSL (secure sockets layer) andtokenization.
 10. The system of claim 8, wherein the alert is sent aspart of a communication formatted to be protected by at least one of oneof SSL (secure sockets layer) and tokenization.
 11. The system of claim8, wherein the processor receives an authentication message confirmingthat the alert was received by a legitimate application.
 12. The systemof claim 8, wherein: at least some of the information regarding thedestination of the outgoing communication comprises a phone number; andthe entity associated with the destination of the outgoing communicationis determined, based at least in part, on comparing: the phone number;and the data identifying a plurality of compromising entities, where thedata comprises a plurality of phone numbers.
 13. The system of claim 8,wherein the alert comprises instructions for the remote application togenerate a second alert on the remote device.
 14. The system of claim 8,further comprising: a rules engine, where a rule of the rules enginemust be satisfied before the alert may be sent; and wherein theprocessor is further operable to: determine that a rule associated withthe rules engine applies, where the rule holds that only alertsassociated with threats above a threshold level of severity may be sent;and determine that the alert is associated with a threat above thethreshold level of severity.
 15. A method, comprising: storing dataidentifying a plurality of compromising entities, where the datacomprises at least one of a device identifier or a contact identifier;receiving, from a remote application associated with a remote device,information regarding a pending outgoing communication, where theinformation comprises a MAC address associated with a destination of theoutgoing communication; determining that an entity associated with thedestination of the outgoing communication matches at least one of theplurality of compromising entities based, at least in part, oncomparing: MAC addresses associated with the plurality of compromisingentities; and the MAC address associated with the destination of theoutgoing communication; and in response to determining that the entityassociated with the destination of the outgoing communication matches atleast one of the plurality of compromising entities, determining thatthe remote device is potentially compromised; sending to the remoteapplication associated with the remote device, and before the outgoingcommunication is sent, a signal configured to: block the outgoingcommunication, wherein the signal is further configured to block aplurality of future communications sent from the remote device inresponse to determining that the remote device is potentiallycompromised; and disable one or more features of the remote device. 16.The method of claim 15, wherein the information is received as part of acommunication formatted to be protected by at least one of one of SSL(secure sockets layer) and tokenization.
 17. The method of claim 15,wherein the signal is sent as part of a communication formatted to beprotected by at least one of one of SSL (secure sockets layer) andtokenization.
 18. The method of claim 15, further comprising: receivingan authentication message confirming that the signal was received by alegitimate application.
 19. The method of claim 15, wherein the signalcomprises instructions for the remote application to block the outgoingcommunication.
 20. The method of claim 15, further comprising: storing arules engine, where a rule of the rules engine must be satisfied beforethe signal may be sent; determine that a rule associated with the rulesengine applies, where the rule holds that only signals associated withthreats above a threshold level of severity may be sent; and determinethat the signal is associated with a threat above the threshold level ofseverity.